You described pretty well what you did on configuring the Policy Store (where domain objects, realms, rules, policies... are stored). What about the User Store? Is it properly configured?

If you suppose all configurations are OK, you could use the Test Tool to help you with basic troubleshooting. Using the Test Tool, you can connect to an agent and check whether policies are working by issuing actions such as "Is Protected?", "Is Authenticated?", and "Is Authorized?".

If setting headers is attached to Authentication, you only have headers set at that time. If someone uses Tamper Data or something similar, it is easy to play with them and sometimes assume another identity in anything you integrate with.

If you switch to Authorization, you now set it on all authorizations, which is likely a bit more secure and has a little more overhead, but for most things it is not going to be noticeable.

Finally, you can tie it to a GET/POST (and other actions). This will reset them on the way in on EVERY access. Yes, it's the most overhead, but it's also the most secure. If your app isn't so sensitive that this cannot be done, I would suggest it. Also, you can then drop to one rule, as this will function for both Authentication and Authorization.